Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Under Armour Reports Data Breach Impacting 150 Million User Accounts

Under Armour's MyFitnessPal database was somehow breached, exposing information on users including email information and hashed passwords. The company claims that payment card information was not stolen in the breach.

WEBINAR:On-Demand

The data breach specifically involves users of Under Armour's popular MyFitnessPal application, which provides exercise, diet and calorie counting capabilities. The company detected the breach four days ago and is now reaching out to users to inform them of the event.

"On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018," Under Armour stated in a press release. "The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident."

Further reading

According to the initial investigation, an "unauthorized party" was able to get access to 150 million MyFitnessPal user accounts. Under Armour has not publicly identified the root cause of the breach.

"Once we became aware, we quickly took steps to determine the nature and scope of the issue," an Under Armour list of frequently asked questions (FAQ) states. "We are working with leading data security firms to assist in our investigation."

Password Hashing

The data taken in unauthorized access includes usernames, email addresses and hashed passwords. Rather than storing passwords in plain text, which is inherently insecure, hashed passwords are scrambled cryptographically. Under Armour specifically noted that it was using the bcrypt hashing algorithm to protect its user passwords.

The use of bcrypt for hashing passwords is not uncommon and has been cited by other breached companies in the past as a way to reassure users that their stolen hashed password databases cannot be easily re-used. In 2016, when Yahoo first reported its massive data breach impacting over 500 million account, the company emphasized its use of bcrypt.

Adult infidelity website Ashley Madison, also highlighted its used of bcrypt after its 2015 data breach impacted 37 million users. Following the Ashley Madison breach, multiple groups of security researchers attempted to de-crypt the hashed passwords, with limited success.

Credit Card Information

Of particular note in the Under Armour breach is fact that the attackers did not get access to any payment card information. The company noted that payment card data was not affected because it is collected and processed separately.

"The affected data did not include government-issued identifiers (such as Social Security numbers and driver's license numbers), which the company does not collect from users," Under Armour stated.

Next Steps

Under Armour has reported the breach to law enforcement and an investigation is currently underway. Users of the myfitnesspal app are also being contacted by Under Armour about the breach and are being advised that they will need to change their passwords. Users are being sent information on further steps they can take to protect their data.

While it's currently unclear precisely how the attackers got access to the Under Armour user information, the company has pledged to do better.

"We continue to make enhancements to our systems to detect and prevent unauthorized access to user information," Under Armour stated.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.